cybernews

recorded data leak

Latest News


CVE-2025-46341 - FreshRSS HTTP Auth Header Impersonation Vulnerability

CVE ID : CVE-2025-46341
Published : June 4, 2025, 9:15 p.m.
Description : FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server uses HTTP auth via a reverse proxy, it is possible to impersonate any user via either the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests through the add-feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, and must also have an account on the instance. An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation, as in the demonstrated scenario, although users who have set up OIDC are not affected by privilege escalation. Version 1.26.2 contains a patch for the issue.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Wed, 04 Jun 2025 21:15:00 GMT

CVE-2025-48947 - Auth0 Next.js SDK Cache-Control Header Missing Vulnerability

CVE ID : CVE-2025-48947
Published : June 4, 2025, 9:15 p.m.
Description : The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be cached by CDNs because of missing Cache-Control headers. Three preconditions must all be met for an application to be affected: it uses the NextJS-Auth0 SDK at a version from 4.0.1 through 4.6.0, it uses a CDN or edge cache that caches responses carrying a Set-Cookie header, and the Cache-Control header is not properly set on sensitive responses. Users should upgrade auth0/nextjs-auth0 to v4.6.1 to receive a patch.
Severity: 0.0 | NA

Wed, 04 Jun 2025 21:15:00 GMT

CVE-2025-5610 - CodeAstro Real Estate Management System SQL Injection Vulnerability

CVE ID : CVE-2025-5610
Published : June 4, 2025, 9:15 p.m.
Description : A vulnerability classified as critical has been found in CodeAstro Real Estate Management System 1.0. It affects unknown functionality in the file /submitpropertydelete.php. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM

Wed, 04 Jun 2025 21:15:00 GMT

CVE-2025-5611 - CodeAstro Real Estate Management System SQL Injection Vulnerability

CVE ID : CVE-2025-5611
Published : June 4, 2025, 9:15 p.m.
Description : A vulnerability classified as critical has been found in CodeAstro Real Estate Management System 1.0. It affects an unknown part of the file /submitpropertyupdate.php. Manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM

Wed, 04 Jun 2025 21:15:00 GMT

CVE-2025-5612 - PHPGurukul Online Fire Reporting System SQL Injection Vulnerability

CVE ID : CVE-2025-5612
Published : June 4, 2025, 9:15 p.m.
Description : A vulnerability classified as critical has been found in PHPGurukul Online Fire Reporting System 1.2. It affects unknown code in the file /reporting.php. Manipulation of the argument fullname leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Severity: 6.3 | MEDIUM

Wed, 04 Jun 2025 21:15:00 GMT

CVE-2025-22243 - VMware NSX Manager UI Stored XSS Vulnerability

CVE ID : CVE-2025-22243
Published : June 4, 2025, 8:15 p.m.
Description : VMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation.
Severity: 7.5 | HIGH

Wed, 04 Jun 2025 20:15:00 GMT

CVE-2025-22244 - VMware NSX Stored XSS Vulnerability

CVE ID : CVE-2025-22244
Published : June 4, 2025, 8:15 p.m.
Description : VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation.
Severity: 6.9 | MEDIUM

Wed, 04 Jun 2025 20:15:00 GMT

CVE-2025-22245 - VMware NSX Stored XSS Vulnerability

CVE ID : CVE-2025-22245
Published : June 4, 2025, 8:15 p.m.
Description : VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.
Severity: 5.9 | MEDIUM

Wed, 04 Jun 2025 20:15:00 GMT

CVE-2025-31134 - FreshRSS Path Disclosure Vulnerability

CVE ID : CVE-2025-31134
Published : June 4, 2025, 8:15 p.m.
Description : FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.
Severity: 0.0 | NA

Wed, 04 Jun 2025 20:15:00 GMT

CVE-2025-31136 - FreshRSS Cross-Site Scripting (XSS) Vulnerability

CVE ID : CVE-2025-31136
Published : June 4, 2025, 8:15 p.m.
Description : FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `